Cryptanalysis of Achterbahn-128/80



Abstract: This paper presents two attacks on Achterbahn-128/80, the latest version of one of the algorithms proposed within the eSTREAM project. The attack on the 80-bit version, Achterbahn-80, has complexity $2^{56.32}$. The attack on Achterbahn-128 needs $2^{75.4}$ operations and $2^{61}$ keystream bits. These attacks are based on an improvement of the attack proposed by Hell and Johansson on version 2 of Achterbahn and also on an algorithm that takes advantage of the short lengths of the registers.

Keywords: eSTREAM, stream cipher, Achterbahn, correlation attacks, parity-check relations, cryptanalysis
1 Introduction

Achterbahn [6] is a stream cipher proposal submitted to the eSTREAM project. After the cryptanalysis of the first two versions [7, 8], it has moved on to a new one called Achterbahn-128/80 [5], published in June 2006. Achterbahn-128/80 corresponds to two keystream generators with key sizes of 128 bits and 80 bits, respectively. Their maximal keystream length is limited to $2^{63}$.

We present here two attacks against both generators. The attack against the 80-bit variant, Achterbahn-80, has complexity $2^{56.32}$. The attack against Achterbahn-128 requires $2^{75.4}$ operations and $2^{61}$ keystream bits. These attacks are based on an improvement of the attack against Achterbahn version 2 and also on an algorithm that takes advantage of the short lengths of the constituent registers.

The paper is organized as follows. Section 2 presents the main specifications of Achterbahn-128/80. Section 3 then describes the general principle of the attack proposed by Hell and Johansson [7] against the previous version of the cipher, Achterbahn v2, since our attacks rely on a similar technique. We also exhibit a new attack against Achterbahn v2 with complexity $2^{49.8}$, while the best previously known attack had complexity $2^{59.02}$. Section 4 then presents two attacks against Achterbahn-80 and Achterbahn-128 respectively.

1.1 Main specifications of Achterbahn-128 

Achterbahn-128 is a keystream generator consisting of 13 binary nonlinear feedback shift registers (NLFSRs). The length of register $i$ is $L_i = 21 + i$ for $i = 0, 1, \ldots, 12$. These NLFSRs are primitive in the sense that their periods $T_i$ are equal to $2^{L_i} - 1$. The sequence which is used as an input to the Boolean combining function is not the output sequence of the NLFSR directly, but a shifted version of itself. The shift amount depends on the register number, but it is fixed for each register. In the following, $X_i = (x_i(t))_{t \ge 0}$ for $0 \le i \le 12$ denotes the shifted version of the output of register $i$ at time $t$.

The output of the keystream generator at time $t$, denoted by $S(t)$, is the output of the Boolean combining function $F$ with the inputs corresponding to the output sequences of the NLFSRs correctly shifted, i.e. $S(t) = F(x_0(t), \ldots, x_{12}(t))$. The Boolean combining function $F$ is given by:

$$
\begin{aligned}
F(x_0, x_1, \ldots, x_{12}) ={}& x_0 + x_1 + x_2 + x_3 + x_4 + x_5 + x_7 + x_9 + x_{11} + x_{12} \\
&+ x_0x_5 + x_2x_{10} + x_2x_{11} + x_4x_8 + x_4x_{12} + x_5x_6 + x_6x_8 + x_6x_{10} + x_6x_{11} + x_6x_{12} \\
&+ x_7x_8 + x_7x_{12} + x_8x_9 + x_8x_{10} + x_9x_{10} + x_9x_{11} + x_9x_{12} + x_{10}x_{12} \\
&+ x_0x_5x_8 + x_0x_5x_{10} + x_0x_5x_{11} + x_0x_5x_{12} + x_1x_2x_8 + x_1x_2x_{12} + x_1x_4x_{10} + x_1x_4x_{11} \\
&+ x_1x_8x_9 + x_1x_9x_{10} + x_1x_9x_{11} + x_1x_9x_{12} + x_2x_3x_8 + x_2x_3x_{12} + x_2x_4x_8 + x_2x_4x_{10} \\
&+ x_2x_4x_{11} + x_2x_4x_{12} + x_2x_7x_8 + x_2x_7x_{12} + x_2x_8x_{10} + x_2x_8x_{11} + x_2x_9x_{10} + x_2x_9x_{11} \\
&+ x_2x_{10}x_{12} + x_2x_{11}x_{12} + x_3x_4x_8 + x_3x_4x_{12} + x_3x_8x_9 + x_3x_9x_{12} + x_4x_7x_8 + x_4x_7x_{12} \\
&+ x_4x_8x_9 + x_4x_9x_{12} + x_5x_6x_8 + x_5x_6x_{10} + x_5x_6x_{11} + x_5x_6x_{12} + x_6x_8x_{10} + x_6x_8x_{11} \\
&+ x_6x_{10}x_{12} + x_6x_{11}x_{12} + x_7x_8x_9 + x_7x_9x_{12} + x_8x_9x_{10} + x_8x_9x_{11} + x_9x_{10}x_{12} + x_9x_{11}x_{12} \\
&+ x_0x_5x_8x_{10} + x_0x_5x_8x_{11} + x_0x_5x_{10}x_{12} + x_0x_5x_{11}x_{12} + x_1x_2x_3x_8 + x_1x_2x_3x_{12} \\
&+ x_1x_2x_7x_8 + x_1x_2x_7x_{12} + x_1x_3x_5x_8 + x_1x_3x_5x_{12} + x_1x_3x_8x_9 + x_1x_3x_9x_{12} \\
&+ x_1x_4x_8x_{10} + x_1x_4x_8x_{11} + x_1x_4x_{10}x_{12} + x_1x_4x_{11}x_{12} + x_1x_5x_7x_8 + x_1x_5x_7x_{12} \\
&+ x_1x_7x_8x_9 + x_1x_7x_9x_{12} + x_1x_8x_9x_{10} + x_1x_8x_9x_{11} + x_1x_9x_{10}x_{12} + x_1x_9x_{11}x_{12} \\
&+ x_2x_3x_4x_8 + x_2x_3x_4x_{12} + x_2x_3x_5x_8 + x_2x_3x_5x_{12} + x_2x_4x_7x_8 + x_2x_4x_7x_{12} \\
&+ x_2x_4x_8x_{10} + x_2x_4x_8x_{11} + x_2x_4x_{10}x_{12} + x_2x_4x_{11}x_{12} + x_2x_5x_7x_8 + x_2x_5x_7x_{12} \\
&+ x_2x_8x_9x_{10} + x_2x_8x_9x_{11} + x_2x_9x_{10}x_{12} + x_2x_9x_{11}x_{12} + x_3x_4x_8x_9 + x_3x_4x_9x_{12} \\
&+ x_4x_7x_8x_9 + x_4x_7x_9x_{12} + x_5x_6x_8x_{10} + x_5x_6x_8x_{11} + x_5x_6x_{10}x_{12} + x_5x_6x_{11}x_{12}.
\end{aligned}
$$

Its main cryptographic properties are : 

• balancedness

• algebraic degree = 4 

• correlation immunity order = 8 

• nonlinearity = 3584 

• algebraic immunity = 4 

1.2 Main specifications of Achterbahn-80 

Achterbahn-80 consists of 11 registers, which are the same ones as in the above case, except for the first and the last ones. The Boolean combining function, $G$, is a sub-function of $F$:

$$G(x_1, \ldots, x_{11}) = F(0, x_1, \ldots, x_{11}, 0).$$

Its main cryptographic properties are : 

• balancedness 

• algebraic degree = 4 

• correlation immunity order = 6 

• nonlinearity = 896 

• algebraic immunity = 4 

As we can see, Achterbahn-128 contains Achterbahn-80 as a substructure. 

1.3 The key-loading algorithm 

The key-loading algorithm uses the key $K$ and an initial value $IV$. The method for initializing the registers is the following one: first of all, all registers are filled with the bits of $K$. After that, register $i$ is clocked $a - L_i$ times, where $a$ is the number of bits of $K \| IV$, and the remaining bits of $K \| IV$ are added to the feedback bit. Then, each register outputs one bit. Those bits are taken as input to the Boolean combining function, which outputs a new bit. This bit is now added to the feedbacks for 32 additional clockings. Then we overwrite the last cell of each register with a 1, in order to avoid the all-zero state.

This algorithm has been modified in relation to the previous versions. The aim of this 
modification is to prevent the attacker from recovering the key K from the knowledge of the 
initial states of some registers. 



2 Attack against Achterbahn version 2 with complexity $2^{49.8}$

2.1 Principle of Hell and Johansson attack against Achterbahn v2 

Achterbahn version 2 was the previous version of Achterbahn. The main and most important differences to the last one, which are used by the attack, are that:

• it had 10 registers, with lengths between 19 and 32 bits,

• the Boolean function, $f$, had correlation immunity order 5.

This version has been broken by Johansson and Hell [7]. Their attack is a distinguishing attack that relies on the following well-known lemma, which is a particular case of [1, Th. 6].

Lemma 1 Let $X$ be a random variable that takes its values in $\mathbb{F}_2$ with a distribution $D$ close to the uniform distribution, that is

$$\Pr[X = 1] = \tfrac{1}{2}(1 + \varepsilon) \quad \text{with } |\varepsilon| < 1.$$

Then, for a number of samples

$$N = \frac{d}{\varepsilon^2},$$

where $d$ is a real number, the error probability of the optimal distinguisher is approximately $\Phi(-\sqrt{d}/2)$, where $\Phi$ is the distribution function of the standard normal distribution:

$$\Phi(x) = \frac{1}{\sqrt{2\pi}} \int_{-\infty}^{x} e^{-u^2/2}\, du.$$

In the following, we will consider $d = 1$, which corresponds to an error probability of about 0.3. The previous quantity $\varepsilon$ that measures the distance between $D$ and the uniform distribution is called the bias of $D$.

The attack proposed by Hell and Johansson exploits a quadratic approximation $q$ of the combining function $f$:

$$q(y_1, \ldots, y_n) = \sum_{j=1}^{s} y_{i_j} + \sum_{i=1}^{m} y_{j_i} y_{k_i},$$

with $m$ quadratic terms and which satisfies

$$\Pr[f(y_1, \ldots, y_n) = q(y_1, \ldots, y_n)] = \tfrac{1}{2}(1 + \varepsilon).$$

We build the parity-check equations, like the ones introduced in [8], that make the quadratic terms disappear by summing up

$$\sum_{j=1}^{s} y_{i_j} + \sum_{i=1}^{m} y_{j_i} y_{k_i}$$

at $2^m$ different moments $(t + \tau)$, where $\tau$ varies in the set of the linear combinations with $0$-$1$ coefficients of $T_{j_1}T_{k_1}, T_{j_2}T_{k_2}, \ldots, T_{j_m}T_{k_m}$. In the following, this set is denoted by $\langle T_{j_1}T_{k_1}, \ldots, T_{j_m}T_{k_m} \rangle$, i.e.:

$$\langle T_{j_1}T_{k_1}, \ldots, T_{j_m}T_{k_m} \rangle = \Big\{ \sum_{i=1}^{m} c_i\, T_{j_i}T_{k_i} \;:\; c_1, \ldots, c_m \in \{0, 1\} \Big\}.$$



This leads to

$$pc(t) = \sum_{\tau \in \langle T_{j_1}T_{k_1}, \ldots, T_{j_m}T_{k_m} \rangle} q(t + \tau) = \sum_{\tau \in \langle T_{j_1}T_{k_1}, \ldots, T_{j_m}T_{k_m} \rangle} \big( x_{i_1}(t + \tau) + \cdots + x_{i_s}(t + \tau) \big).$$

We then decimate the sequence $(pc(t))_{t \ge 0}$ by the periods of $p$ sequences among $(x_{i_1}(t))_{t \ge 0}, \ldots, (x_{i_s}(t))_{t \ge 0}$. We can suppose here without loss of generality that the periods of the first $p$ sequences have been chosen.

Now a new parity-check, $pc_p$, can be defined by:

$$pc_p(t) = pc(t\, T_{i_1} \cdots T_{i_p}).$$

This way, the influence of those $p$ registers on the parity-check $pc_p(t)$ corresponds to the addition of a constant for all $t \ge 0$, so it will be $0$ or $1$ for all the parity-checks.

Now, the attack consists in performing an exhaustive search for the initial states of the $(s - p)$ remaining registers, i.e. those of indices $i_{p+1}, \ldots, i_s$. For each possible value of these initial states, we compute:

$$\sigma(t) = \sum_{\tau \in \langle T_{j_1}T_{k_1}, \ldots, T_{j_m}T_{k_m} \rangle} \Big( S(t\, T_{i_1} \cdots T_{i_p} + \tau) + \sum_{j=p+1}^{s} x_{i_j}(t\, T_{i_1} \cdots T_{i_p} + \tau) \Big). \qquad (1)$$

We have

$$\Pr[\sigma(t) = 0] = \tfrac{1}{2}\big(1 + \varepsilon^{2^m}\big).$$

Using this bias, we can distinguish the keystream $(S(t))_{t \ge 0}$ from a random sequence and also recover the initial states of the $(s - p)$ constituent registers.
2.2 Complexity

• We will have $2^m$ terms in each parity-check. That means that we need to compute $\varepsilon^{-2^{m+1}} = 2^{n_b 2^m}$ values of $\sigma(t)$ for mounting the distinguishing attack, where $n_b = \log_2 \varepsilon^{-2}$. Besides, $\sigma(t)$ is defined by (1), implying that the attack requires

$$2^{n_b 2^m + 1 + \sum_{j=1}^{p} L_{i_j}} + \sum_{i=1}^{m} 2^{L_{j_i} + L_{k_i}} \text{ keystream bits},$$

where $L_{i_j}$ are the lengths of the registers associated to the periods by which we have decimated, and the last term corresponds to the maximal distance between the bits involved in each parity-check.

• Time complexity will be the number of parity-checks to compute, multiplied by the number of possible initial states of the registers of indices $i_{p+1}, \ldots, i_s$, i.e. the registers by whose periods we have not decimated: the registers over which we make an exhaustive search and whose initial states we are going to find.
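To make the mechanics of Sections 2.1 and 2.2 concrete, here is an added toy implementation in Python; it is not code from the paper or from the Achterbahn designers. It replaces the NLFSRs by six small Galois LFSRs (assumed primitive polynomials with periods 15, 31, 127, 63, 2047 and 8191, which the code checks) and uses a constructed combining function $F = x_1 + x_2 + x_3 + x_4 + x_5x_6$ with the linear approximation $\ell = x_1 + x_2 + x_3 + x_4$, whose bias $\varepsilon = 1/2$ is read off the truth table. The shift $T_1T_2$ cancels $x_1$ and $x_2$ in $\ell$, decimation by $T_3$ turns $x_3$ into a constant (the $pc_p$ step), and only register 4 is searched exhaustively, at a cost of $2^{L_4}$ candidates times the number of parity-checks instead of $2^{L_3 + L_4}$. The parity-check bias is about $\varepsilon^2$, so Lemma 1 with $d = 1$ asks for only $\varepsilon^{-4} = 16$ samples; the code uses 2048 so that one pass separates the right candidate from the 62 wrong ones with a wide margin.

```python
"""Toy parity-check attack on a combination generator built from short
registers, in the style of Sections 2.1-2.2. Everything here is a constructed
example: the registers, the combining function and the sizes are not
Achterbahn's."""
from typing import Callable, Dict, List, Tuple

# Constructed registers: id -> (length L, exponents k of x^L + sum_k x^k + 1).
# Assumption: each polynomial is primitive, so register i has period 2^L - 1
# (register_period checks this). Achterbahn uses NLFSRs; the attack only needs
# the periods, so Galois LFSRs are good enough for the demonstration.
REGISTERS: Dict[int, Tuple[int, Tuple[int, ...]]] = {
    1: (4, (3,)),        # period 15
    2: (5, (3,)),        # period 31
    3: (7, (6,)),        # period 127 (we decimate by this one)
    4: (6, (5,)),        # period 63  (the register we recover)
    5: (11, (2,)),       # period 2047
    6: (13, (4, 3, 1)),  # period 8191
}


def register_sequence(L: int, taps: Tuple[int, ...], init: int) -> List[int]:
    """One full period of the register output, started from nonzero state init."""
    assert 0 < init < (1 << L)
    mask = (1 << (L - 1)) | sum(1 << (k - 1) for k in taps)
    state, out = init, []
    while True:
        bit = state & 1
        out.append(bit)
        state >>= 1
        if bit:
            state ^= mask
        if state == init:
            return out


def register_period(i: int) -> int:
    L, taps = REGISTERS[i]
    return len(register_sequence(L, taps, 1))


def combining_function(x: List[int]) -> int:
    """Toy combiner F(x1,...,x6) = x1 + x2 + x3 + x4 + x5*x6 (x[0] is unused)."""
    return x[1] ^ x[2] ^ x[3] ^ x[4] ^ (x[5] & x[6])


def linear_approximation(x: List[int]) -> int:
    """l(x1,...,x6) = x1 + x2 + x3 + x4, the approximation the attack uses."""
    return x[1] ^ x[2] ^ x[3] ^ x[4]


def approximation_bias() -> float:
    """eps such that Pr[F = l] = (1 + eps)/2, read off the 64-row truth table."""
    agree = 0
    for v in range(64):
        x = [0] + [(v >> (i - 1)) & 1 for i in range(1, 7)]
        agree += int(combining_function(x) == linear_approximation(x))
    return 2 * agree / 64 - 1


class ToyGenerator:
    """Keystream S(t) = F(x1(t), ..., x6(t)) from secret initial states."""

    def __init__(self, init_states: Dict[int, int]) -> None:
        self.seqs = {i: register_sequence(*REGISTERS[i], init_states[i]) for i in REGISTERS}
        self.periods = {i: len(s) for i, s in self.seqs.items()}

    def keystream_bit(self, t: int) -> int:
        x = [0] + [self.seqs[i][t % self.periods[i]] for i in range(1, 7)]
        return combining_function(x)


def attack_register_4(keystream: Callable[[int], int], periods: Dict[int, int],
                      n_samples: int) -> Tuple[int, float]:
    """Parity-check sigma(t) = S(t) + S(t + T1 T2) removes x1 and x2 from l;
    decimating by T3 (sigma(t T3), the pc_p step) freezes x3 to a constant;
    only register 4 is then searched. Returns (best state, measured bias)."""
    delta = periods[1] * periods[2]
    t3 = periods[3]
    sigma_p = [keystream(t * t3) ^ keystream(t * t3 + delta) for t in range(n_samples)]
    L4, taps4 = REGISTERS[4]
    best_state, best_bias = 0, -1.0
    for state in range(1, 1 << L4):
        x4 = register_sequence(L4, taps4, state)
        t4 = len(x4)
        matches = 0
        for t in range(n_samples):
            u = t * t3
            y = x4[u % t4] ^ x4[(u + delta) % t4]     # register 4's share of sigma_p(t)
            matches += int(sigma_p[t] == y)
        # The frozen x3 terms add an unknown constant, so only |bias| is meaningful.
        bias = abs(2 * matches / n_samples - 1)
        if bias > best_bias:
            best_state, best_bias = state, bias
    return best_state, best_bias


if __name__ == "__main__":
    eps = approximation_bias()                       # 0.5 for this toy combiner
    print(f"eps = {eps}; Lemma 1 (d = 1) needs eps^-4 = {int(eps ** -4)} parity-checks")
    secret = {1: 0b1011, 2: 0b10010, 3: 0b1010101, 4: 0b110101,
              5: 0b10011001011, 6: 0b1011001110001}   # constructed secret states
    gen = ToyGenerator(secret)
    state, bias = attack_register_4(gen.keystream_bit, gen.periods, 2048)
    print(f"register 4: recovered {state:#08b}, true {secret[4]:#08b}, bias {bias:.3f}")
```

Run stand-alone, the script prints the recovered state of register 4 and the measured bias (close to $\varepsilon^2 = 0.25$). The attacker side uses only the public design (periods, combining function) and the keystream, never the secret states of registers 1, 2 or 3, which is exactly what makes short register periods a design weakness: the exhaustive search shrinks to a single register.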

2.3 Example with Achterbahn version 2 

Hell and Johansson [7] have used this attack against Achterbahn version 2 with the following quadratic approximation:

$$q(x_1, \ldots, x_{10}) = x_1 + x_2 + x_3x_8 + x_4x_9.$$

Then, they decimate by the period of the second register, whose length is 22. After that, they make an exhaustive search over the first register, whose length is 19. Time complexity will be $2^{62}$ and data complexity $2^{59.02}$. Using the small lengths of the registers, time complexity can be reduced below data complexity, so the final complexity of the attack will be $2^{59.02}$.

2.4 Improvement of the Attack against Achterbahn version 2 

We are going to improve the previously described attack against Achterbahn v2 and reduce the complexity to $2^{49.8}$.

For this attack, we use the idea of associating the variables in order to reduce the number of terms that we will have in the parity-checks. The only effect that this could have on the final complexity of the attack is to enlarge the number of required keystream bits; but, being careful, we keep it the same while reducing the time complexity.

The chosen approximation. At first, we searched among all the quadratic approximations of $f$ with one and two quadratic terms, as the original attack presented by Hell and Johansson was based on a quadratic approximation. Finally, after looking for a trade-off between the number of terms, the number of variables, the bias, etc., we found that no quadratic approximation was better for this attack than linear ones. It is worth noticing that, since the combining function $f$ is 5-resilient, any approximation of $f$ involves at least 6 input variables. Moreover, the highest bias corresponding to an approximation of $f$ by a 6-variable function is achieved by a function of degree one, as proved in [3]. After analyzing all linear approximations of the Boolean combining function, we found that the best one was:

$$g(x_1, \ldots, x_{10}) = x_8 + x_6 + x_4 + x_3 + x_2 + x_1.$$

We have $f(x_1, \ldots, x_{10}) = g(x_1, \ldots, x_{10})$ with a probability of $\tfrac{1}{2}(1 + 2^{-3})$.

Parity-checks. Let us build a parity-check as follows:

$$ggg(t) = g(t) + g(t + T_1T_8) + g(t + T_2T_6) + g(t + T_1T_8 + T_2T_6),$$

with

$$g(t) = x_8(t) + x_6(t) + x_4(t) + x_3(t) + x_2(t) + x_1(t).$$

The terms $x_8, x_6, x_2, x_1$ will disappear and, so, $ggg(t)$ is a sequence that depends uniquely on the sequences $x_3$ and $x_4$. Adding four times the approximation has the effect of multiplying the bias four times, so the bias of

$$\sigma(t) = S(t) + S(t + T_1T_8) + S(t + T_2T_6) + S(t + T_1T_8 + T_2T_6)$$

is $2^{-3 \times 4} = 2^{-12}$, because 4 is the number of terms in $ggg(t)$. That means that we will need $2^{3 \times 4 \times 2} = 2^{24}$ values of the parity-check for detecting this bias. If we decimate $ggg(t)$ by the period of register 3, we will need $2^{49.8}$ bits of keystream, and time complexity will be

$$2^{24} \times 2^{25} = 2^{49},$$

as we only guess the initial state of register 4.

We consider that the total complexity is given by the data complexity, as it is higher than the time complexity. This complexity is $2^{49.8}$, while the complexity of the previous attack was equal to $2^{59.02}$.

3 Cryptanalysis of Achterbahn-128/80

Now, we describe a new attack against Achterbahn-80 with a complexity of $2^{56.32}$, where a linear approximation of the output function is considered. The attack is a distinguishing attack, but it also allows one to recover the initial states of certain constituent registers. We also describe an attack against Achterbahn-128 with a complexity of $2^{75.4}$, where we consider a linear approximation of the output function and we take advantage of the short lengths of the registers involved in the proposed stream cipher.
3.1 Cryptanalysis of Achterbahn-80

This attack is very similar to the improvement of the attack against Achterbahn version 2 which has been described in the previous section.

Our attack exploits the following linear approximation of the combining function $G$:

$$\ell(x_1, \ldots, x_{11}) = x_1 + x_3 + x_4 + x_5 + x_6 + x_7 + x_{10}.$$

Since $G$ is 6-resilient, $\ell$ is the best approximation by a 7-variable function.

For $\ell(t) = x_1(t) + x_3(t) + x_4(t) + x_5(t) + x_6(t) + x_7(t) + x_{10}(t)$, the keystream $(S(t))_{t \ge 0}$ satisfies $\Pr[S(t) = \ell(t)] = \tfrac{1}{2}(1 - 2^{-3})$.

Parity-checks. Let us build a parity-check as follows:

$$\ell\ell(t) = \ell(t) + \ell(t + T_4T_7) + \ell(t + T_6T_5) + \ell(t + T_4T_7 + T_6T_5).$$

The terms containing the sequences $x_4, x_5, x_6, x_7$ vanish in $\ell\ell(t)$, so $\ell\ell(t)$ depends exclusively on the sequences $x_1$, $x_3$ and $x_{10}$.

Adding four times the approximation has the effect of multiplying the bias four times, so the bias of

$$\sigma(t) = S(t) + S(t + T_7T_4) + S(t + T_6T_5) + S(t + T_7T_4 + T_6T_5),$$

where $(S(t))_{t \ge 0}$ is the keystream, is $2^{-12}$. This means that we need $2^{3 \times 4 \times 2} = 2^{24}$ parity-checks $\sigma(t)$ to detect this bias.

We now decimate $\sigma(t)$ by the period of register 10, which is involved in the parity-check, so we create in this way a new parity-check, $\sigma(t\, T_{10})$. Then, the attack performs an exhaustive search for the initial states of registers 1 and 3. Its time complexity is $2^{24} \times 2^{22 + 24} = 2^{70}$.

The number of keystream bits that we need is

$$2^{25} \times T_{10} + T_4T_7 + T_6T_5 = 2^{56.32}.$$

3.2 Cryptanalysis of Achterbahn-128

Now, we present a distinguishing attack against the 128-bit version of Achterbahn which also recovers the initial states of two registers.

We consider the following approximation of the combining function $F$:

$$\ell(x_0, \ldots, x_{12}) = x_0 + x_3 + x_7 + x_4 + x_{10} + x_8 + x_9 + x_1 + x_2.$$

Then, for $\ell(t) = x_0(t) + x_3(t) + x_7(t) + x_4(t) + x_{10}(t) + x_8(t) + x_9(t) + x_1(t) + x_2(t)$, we have $\Pr[S(t) = \ell(t)] = \tfrac{1}{2}(1 + 2^{-3})$.
Parity-checks. The period of any sequence obtained by combining the registers 0, 3 and 7 is equal to $\mathrm{lcm}(T_0, T_3, T_7)$, i.e. $2^{59.3}$, as $T_0$, $T_3$ and $T_7$ have common divisors. We are going to denote this value by $T_{0,3,7}$.

If we build a parity-check as follows:

$$\ell\ell\ell(t) = \sum_{\tau \in \langle T_{0,3,7},\, T_{4,10},\, T_{8,9} \rangle} \ell(t + \tau),$$

the terms containing the sequences $x_0, x_3, x_7, x_4, x_{10}, x_8, x_9$ will disappear from $\ell\ell\ell(t)$, so $\ell\ell\ell(t)$ depends exclusively on the sequences $x_1$ and $x_2$:

$$\ell\ell\ell(t) = \sum_{\tau \in \langle T_{0,3,7},\, T_{4,10},\, T_{8,9} \rangle} \ell(t + \tau) = \sum_{\tau \in \langle T_{0,3,7},\, T_{4,10},\, T_{8,9} \rangle} \big( x_1(t + \tau) + x_2(t + \tau) \big) = \sigma_1(t) + \sigma_2(t),$$

where $\sigma_1(t)$ and $\sigma_2(t)$ are the parity-checks calculated on the sequences generated by NLFSRs 1 and 2.

Adding eight times the approximation has the effect of multiplying the bias eight times, so the bias of

$$\sigma(t) = \sum_{\tau \in \langle T_{0,3,7},\, T_{4,10},\, T_{8,9} \rangle} S(t + \tau),$$

where $(S(t))_{t \ge 0}$ is the keystream, is $2^{-24}$. So:

$$\Pr[\sigma(t) + \sigma_1(t) + \sigma_2(t) = 1] = \tfrac{1}{2}\big(1 - 2^{-24}\big).$$

This means that we need $2^{3 \times 8 \times 2} = 2^{48}$ values of $\sigma(t) + \sigma_1(t) + \sigma_2(t)$ for detecting this bias.

We now describe an algorithm for computing the sum $\sigma(t) + \sigma_1(t) + \sigma_2(t)$ over all values of $t$. This algorithm has a lower complexity than an exhaustive search for the initial states of the registers 1 and 2 simultaneously. Here we use $(2^{48} - 2)$ values of $t$, since $(2^{48} - 2) = T_2 \times (2^{25} + 2)$.
We can write it down as follows:

$$
\begin{aligned}
\sum_{t'=0}^{2^{48}-3} \sigma(t') \oplus \sigma_1(t') \oplus \sigma_2(t')
&= \sum_{k=0}^{T_2-1} \sum_{t=0}^{2^{25}+1} \sigma(T_2 t + k) \oplus \sigma_1(T_2 t + k) \oplus \sigma_2(T_2 t + k) \\
&= \sum_{k=0}^{T_2-1} \Big[ (\sigma_2(k) \oplus 1) \sum_{t=0}^{2^{25}+1} \sigma(T_2 t + k) \oplus \sigma_1(T_2 t + k) \\
&\qquad\quad + \sigma_2(k) \Big( (2^{25} + 2) - \sum_{t=0}^{2^{25}+1} \sigma(T_2 t + k) \oplus \sigma_1(T_2 t + k) \Big) \Big],
\end{aligned}
$$

since $\sigma_2(T_2 t + k)$ is constant for a fixed value of $k$.

At this point, we can obtain $\sigma(t)$ from the keystream and we can make an exhaustive search for the initial state of register 1. More precisely:

• We choose an initial state for register 2, e.g. the all-one initial state. We compute and save a binary vector $V_2$ of length $T_2$:

$$V_2[k] = \sigma_2(k),$$

where the sequence $x_2$ is generated from the chosen initial state. The complexity of this step is $T_2 \times 2^4$ operations.

• For each possible initial state of register 1:

— we compute and save a vector $V_1$ composed of $T_2$ integers of 26 bits:

$$V_1[k] = \sum_{t=0}^{2^{25}+1} \sigma(T_2 t + k) \oplus \sigma_1(T_2 t + k).$$

The complexity of this step is

$$2^{48} \times (2^4 + 2^{4.7})$$

for each possible initial state of register 1, where $2^4$ corresponds to the number of operations required for computing each $(\sigma(t) + \sigma_1(t))$ and $(2^{25} + 2) \times 2^{4.7} = (2^{25} + 2) \times 26$ is the cost of summing up $2^{25} + 2$ integers of 26 bits.

— For each possible $i$ from $0$ to $T_2 - 1$:

* we define $V_2^i$ of length $T_2$:

$$V_2^i[k] = V_2[(k + i) \bmod T_2].$$

Actually, $(V_2^i[k])_{0 \le k < T_2}$ corresponds to $(\sigma_2(k))_{0 \le k < T_2}$ when the initial state of register 2 corresponds to the internal state after clocking $R_2$ $i$ times from the all-one initial state.

* With the two vectors that we have obtained, we compute:

$$\sum_{k=0}^{T_2-1} \Big[ (V_2^i[k] \oplus 1)\, V_1[k] + V_2^i[k]\, \big(2^{25} + 2 - V_1[k]\big) \Big]. \qquad (2)$$

When we do this with the correct initial states of registers 1 and 2, we will find the expected bias.

for each possible initial state of $R_1$ do
    for $k = 0$ to $T_2 - 1$ do
        $V_1[k] = \sum_{t=0}^{2^{25}+1} \sigma(T_2 t + k) \oplus \sigma_1(T_2 t + k)$
    end for
    for each possible initial state $i$ of $R_2$ do
        for $k = 0$ to $T_2 - 1$ do
            $V_2^i[k] = V_2[(k + i) \bmod T_2]$
        end for
        compute $\sum_{k=0}^{T_2-1} \big[ (V_2^i[k] \oplus 1)\, V_1[k] + V_2^i[k]\, (2^{25} + 2 - V_1[k]) \big]$
        if we find the bias then
            return the initial states of $R_1$ and $R_2$
        end if
    end for
end for

Table 1: Algorithm for finding the initial states of registers 1 and 2



The total time complexity of the attack is going to be:

$$T_1 \times \big[ 2^{48} \times (2^4 + 2^{4.7}) + T_2 \times 2 \times T_2 \times 2^{4.7} \big] + T_2 \times 2^4 = 2^{75.8},$$

where $2 \times T_2 \times 2^{4.7}$ is the time it takes to compute the sum described by (2). Actually, we can speed up the process by rewriting the sum (2) in the following way:

$$\sum_{k=0}^{T_2-1} V_1[k] + \sum_{k=0}^{T_2-1} V_2^i[k]\, \big(2^{25} + 2 - 2\, V_1[k]\big).$$

The issue is now to find the $i$ that maximizes this sum; this is the same as computing the maximum of the cross-correlation of two sequences of length $T_2$. We can do that efficiently using a fast Fourier transform, as explained in [2, pages 306-312]. The final complexity will be in $O(T_2 \log T_2)$. Anyway, this does not change our total complexity, as the higher term is the first one.

The complexity is going to be, finally:

$$T_1 \times \big[ 2^{48} \times (2^4 + 2^{4.7}) + O(T_2 \log T_2) \big] + T_2 \times 2^4 = 2^{75.4}.$$

The length of keystream needed is:

$$T_{0,3,7} + T_{4,10} + T_{8,9} + 2^{48} < 2^{61} \text{ bits}.$$
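The vector rewrite and cross-correlation step of Section 3.2 (Table 1 and equation (2)), as an added Python example that is not the paper's code. The two "registers" are stand-ins: their sequences are Legendre sequences of prime periods 31 and 43 (both $\equiv 3 \pmod 4$), whose distinct cyclic shifts differ in exactly $(p+1)/2$ positions, so a wrong shift looks like a random sequence, much as a wrong initial state of an NLFSR does. The keystream parity-check $\sigma(t)$ is constructed as $\sigma_1(t) \oplus \sigma_2(t)$ plus an error bit of bias $\varepsilon = 1/4$, and $M = 64$ plays the role of $2^{25} + 2$. The code checks that the direct count of $\sigma \oplus \sigma_1 \oplus \sigma_2$, equation (2) evaluated on $V_1$ and $V_2^i$, and the cross-correlation form $\sum_k V_1[k] + \sum_k V_2^i[k](M - 2V_1[k])$ agree exactly, then recovers both shifts with $T_1 (N + T_2^2)$ work instead of the $T_1 T_2 N$ of a joint exhaustive search.

```python
"""Toy version of the V1 / V2^i algorithm of Table 1 and equation (2).
Constructed example: the register sequences, the error model and the sizes
are stand-ins chosen for illustration, not Achterbahn's."""
import random
from typing import List, Tuple


def legendre_sequence(p: int) -> List[int]:
    """Register stand-in of period p: 1 at the nonzero quadratic residues mod p,
    0 elsewhere. For a prime p = 3 (mod 4) the residues form a difference set,
    so any two distinct cyclic shifts differ in exactly (p+1)/2 positions."""
    return [1 if k and pow(k, (p - 1) // 2, p) == 1 else 0 for k in range(p)]


def rotate(seq: List[int], i: int) -> List[int]:
    """seq^i[k] = seq[(k + i) mod len(seq)]: the V_2^i construction."""
    n = len(seq)
    return [seq[(k + i) % n] for k in range(n)]


def expand(base: List[int], shift: int, n: int) -> List[int]:
    """The first n bits of the periodic sequence started at the given shift."""
    p = len(base)
    return [base[(t + shift) % p] for t in range(n)]


def make_parity_checks(base1: List[int], base2: List[int], s1: int, s2: int,
                       M: int, eps: float, seed: int = 2007) -> List[int]:
    """Constructed sigma(t) = sigma1(t) ^ sigma2(t) ^ e(t) for t < T2*M, where
    the error bit e(t) is 1 with probability (1 - eps)/2 (approximation bias eps)."""
    T1, T2 = len(base1), len(base2)
    rng = random.Random(seed)
    sigma = []
    for t in range(T2 * M):
        e = 1 if rng.random() < (1 - eps) / 2 else 0
        sigma.append(base1[(t + s1) % T1] ^ base2[(t + s2) % T2] ^ e)
    return sigma


def direct_count(sigma: List[int], sigma1: List[int], sigma2: List[int]) -> int:
    """Number of t with sigma(t) + sigma1(t) + sigma2(t) = 1, computed naively."""
    return sum(a ^ b ^ c for a, b, c in zip(sigma, sigma1, sigma2))


def build_v1(sigma: List[int], base1: List[int], s1: int, T2: int, M: int) -> List[int]:
    """V1[k] = sum_{t < M} sigma(T2 t + k) ^ sigma1(T2 t + k) for the guess s1."""
    T1 = len(base1)
    return [sum(sigma[T2 * t + k] ^ base1[(T2 * t + k + s1) % T1] for t in range(M))
            for k in range(T2)]


def count_from_vectors(v1: List[int], v2i: List[int], M: int) -> int:
    """Equation (2): sum_k [(V2^i[k] ^ 1) V1[k] + V2^i[k] (M - V1[k])]."""
    return sum((b ^ 1) * a + b * (M - a) for a, b in zip(v1, v2i))


def count_rewritten(v1: List[int], v2i: List[int], M: int) -> int:
    """Same quantity as a cross-correlation: sum_k V1[k] + sum_k V2^i[k] (M - 2 V1[k])."""
    return sum(v1) + sum(b * (M - 2 * a) for a, b in zip(v1, v2i))


def recover_shifts(sigma: List[int], base1: List[int], base2: List[int], M: int) -> Tuple[int, int]:
    """Table 1: one V1 per guess of register 1; every register-2 guess is then a
    rotation of V2 = base2 and costs O(T2) instead of O(N)."""
    T1, T2 = len(base1), len(base2)
    N = T2 * M
    best_dev, best = -1.0, (0, 0)
    for s1 in range(T1):
        v1 = build_v1(sigma, base1, s1, T2, M)
        for i in range(T2):
            ones = count_rewritten(v1, rotate(base2, i), M)
            dev = abs(N / 2 - ones)        # the bias shows up as a deviation from N/2
            if dev > best_dev:
                best_dev, best = dev, (s1, i)
    return best


if __name__ == "__main__":
    base1, base2 = legendre_sequence(31), legendre_sequence(43)
    M, eps, s1, s2 = 64, 0.25, 11, 29          # constructed parameters and secret shifts
    sigma = make_parity_checks(base1, base2, s1, s2, M, eps)
    print("recovered shifts:", recover_shifts(sigma, base1, base2, M), "true:", (s1, s2))
```

The inner loop over `i` is the brute-force cross-correlation; replacing it by an FFT-based correlation, as the text suggests, lowers it from $O(T_2^2)$ to $O(T_2 \log T_2)$ per guess of register 1 but leaves the dominant $T_1 \cdot N$ term untouched, which is why the final complexity in the text barely moves.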

4 Conclusion 

We have proposed an attack against Achterbahn-80 in $2^{70}$. To this attack we can apply the same algorithm as the one described in Section 3.2 against Achterbahn-128, and its time complexity will be reduced to about $2^{46}$, so we can consider as the total complexity the length of the keystream needed, since it is bigger. The complexity of the attack against Achterbahn-80 will then be $2^{56.32}$. An attack against Achterbahn-128 is also proposed in $2^{75.4}$, where fewer than $2^{61}$ bits of keystream are required. The complexities of the best attacks against all versions of Achterbahn are summarized in the following table:



version          data complexity   time complexity   references
v1 (80-bit)      2^32              2^55              [8]
v2 (80-bit)      2^59.02           2^62              [7]
v2 (80-bit)      2^49.8            2^49
v80 (80-bit)     2^56.32           2^46
v128 (128-bit)   2^60              2^75.4

Table 2: Attack complexities against all versions of Achterbahn